GSMA Security Certification

SAS-SM for Consumer

One of the factors raising the cost of a subscription management service is certification in accordance with the GSMA SAS-SM (Security Accreditation Scheme for Subscription Manager) and the cost of the GSMA certificates. The effort and cost of SAS certification create a high entry barrier for players interested in hosting and operating their own subscription manager or its components.
These costs, which must be borne by the operators of subscription management services, practically block flexible deployment scenarios (cloud-based services) and pay-as-you-grow models, which are particularly attractive for the cost-sensitive IoT market.

In the consumer market, GSMA certification of eSIM production (SAS-UP) and of the subscription manager (SAS-SM) provides a great benefit for all ecosystem players, ensuring compliance of the devices and of the infrastructure with defined security and functional requirements.

Still, even in this case, access to the certificate chains should not be restricted solely on the basis of GSMA SAS certification. For example, SAS certification creates only additional costs for a Connectivity Service Provider (CSP) that wants to host the DP+ in its own private cloud, bringing no benefit except access to the GSMA certificates.
Considering that the DP+ manages credentials owned by the connectivity provider, a CSP that is a GSMA member shall have access to the GSMA certificates for the solution as long as the DP+ is hosted in accordance with that CSP's security policies.

SAS certification makes definite sense for third-party providers, because it gives CSPs the guarantee that the third party's service complies with well-known security standards.


SAS-SM for M2M/IoT

Unlike in the consumer space, global cross-border IoT applications are only a niche product. The IoT application market is highly fragmented, both geographically and by vertical. While some IoT applications may benefit from the GSMA certification program (the automotive segment is a good example), other IoT services may be designed to comply with specific security models or to follow a proprietary functional architecture, relying on the GSMA standard only for the functionality limited to remote eSIM management commands.

Strict compliance with these requirements might even hamper the design of innovative IoT services or introduce unnecessary additional costs.

In most IoT cases, the roles and responsibilities of the service stakeholders are governed legally. These legal agreements need not necessarily be supported by the technical means that GSMA defines and mandates for SAS certification.

Another aspect to consider with regard to SAS certification is the national or regional nature of IoT projects. The main focus of such projects is assuring compliance with local regulation, and GSMA certification provides no help in meeting those requirements.

Market experience shows that SAS certification in its current form addresses the needs of a small market segment and definitely does not reflect the needs of the majority of IoT services in all their variety. If GSMA really wants to support the IoT market, a more flexible approach to certifying services would definitely facilitate market adoption of eSIM technology and open the door to new, innovative service offerings.


SAS-SM in the cloud

The vast majority of Subscription Management services are offered from data centers hosted by the respective service provider. GSMA, in its self-declaration forms (SGP.16 or SGP.24), does not even consider the option that the Subscription Manager software may be provided by a company other than the hosting party. In the ideal GSMA world, the software is developed and offered as a service (SaaS) by one and the same provider, and that service is certified in accordance with the GSMA SAS requirements. This vision of the "ideal world" is unfortunately very narrow and does not reflect reality. There is nothing exotic about SM services being offered by one company, running software developed by a second company, in a data center operated by a third.

One well-known weak point of the "ideal world" is SAS certification of an SM service deployed in the cloud. Even if an SM service provider claims to offer cloud-based services, the reality is slightly different. Some SAS requirements, such as physical access to the data center by auditors or FIPS 140-2 Level 3 HSM service compliance, may prevent public cloud service providers from offering an SAS-compliant cloud environment, in contrast to the environments they have long offered for payment applications that comply with the Payment Card Industry Data Security Standard (PCI DSS). While not entirely impossible, ensuring SAS compliance in a public cloud deployment requires greater effort from both the public cloud service provider and the application provider, and conflicts with the public cloud philosophy and the obvious benefits it offers.

When discussing public cloud deployment scenarios, it is important to remember that the Subscription Management service shall operate in compliance with national or regional regulatory requirements. Some countries have already mandated a certain level of localization of the Subscription Management service, and the number of such countries can be expected to grow. These local regulations limit the benefits of offering the service from the public cloud, forcing service providers and their customers to prefer localized deployments, sometimes even leading to the creation of a national provider of Subscription Management services. This, in turn, raises the question of what benefit GSMA SAS certification actually provides.